Ministry of Digital Development to Assess Government System Vulnerabilities

While monitoring the government procurement website, we discovered a tender from the Ministry of Digital Development for “Performing independent security analysis of government information systems (perimeter vulnerability search, penetration testing), including mobile applications.” The starting price is 149,681,625.90 rubles.

The competition is being held in a closed format, a practice often used to avoid Western sanctions against contractors working with Russian authorities. The tender description lacks specific details; only the application deadline and review dates are known: November 29 and 30 of this year, respectively.

Applications must be submitted “in accordance with the closed competition documentation and the requirements of Russian Federation legislation on state secrets.”

Expert Opinions on the Tender

According to Philipp Kulin, creator of “Escher II,” the tender likely involves checking government systems at critical information infrastructure (CII) sites, particularly for data security. “It’s unlikely to be about the ‘sovereign Runet.’ It’s more likely related to Federal Law 187 or something similar,” he suggests. “The mention of ‘perimeter’ and such is probably just for show. I think this is a practical tender to check ‘what kind of mess do we have in our towers?’—at least, that’s how it looks.”

On the other hand, Vadim Misbakh-Solovyov, a technical specialist at RosKomSvoboda, believes the tender is about checking the Roskomnadzor data center, which manages TSPU (technical means of countering threats).

Details of the Tender

According to the closed competition notice, the work will be carried out at the contractor’s facilities and at the sites of federal executive authorities of the Russian Federation, as well as subordinate institutions located within Russia, which will provide access to government information systems.

The delivery or completion period is from the date the government contract is signed until March 31, 2022.

Related Initiatives

Recently, Kommersant reported on a draft order by the Ministry of Digital Development introducing unscheduled inspections of compliance with personal data processing laws, to be conducted by Roskomnadzor. According to the proposal, such inspections will be possible if more than ten reports about the distribution of a company’s databases online are received within six months.

“The Ministry of Digital Development proposes to establish indicators that would signal a risk of violating mandatory requirements for personal data processing control. For example, if more than ten reports about the distribution of a company’s personal data databases online are received within six months, Roskomnadzor will be able to conduct unscheduled inspections of compliance with personal data processing laws,” the document states.